Google's Project Zero bug-hunting team has disclosed a Windows kernel flaw that's being actively exploited by miscreants to gain administrator access on compromised machines.
The web giant's bug report was privately disclosed to Microsoft on October 22, and publicly revealed just seven days later, after it detected persons unknown exploiting the programming blunder. The privilege-escalation issue was identified by Mateusz Jurczyk and Sergei Glazunov of Google Project Zero.
"The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures," the bug report explains. "It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape)."
Malware already on a system, or a rogue insider, can potentially exploit this buggy driver to gain admin-level control of a vulnerable Windows box. The flaw, designated as CVE-2020-17087, is the result of improper 16-bit integer truncation that can lead to a buffer overflow.
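To illustrate the bug class named above, here is an added example in C of how a 16-bit integer truncation turns into an under-sized buffer, shown beside the hardened sizing check a driver author would want. It is not Project Zero's proof-of-concept and not the cng.sys code; the "property block" layout, the 8-byte entry size and the function names are all constructed for the illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration: a request carries a 32-bit entry count, but the
 * sizing path stores it in a 16-bit field. The allocation is computed from the
 * truncated value while the later copy trusts the original count. None of
 * these names or layouts come from cng.sys. */
#define ENTRY_SIZE 8u

/* Buggy sizing: bytes the flawed code would allocate for `count` entries.
 * The cast silently drops the upper 16 bits of the count. */
size_t buggy_alloc_size(uint32_t count) {
    uint16_t short_count = (uint16_t)count;   /* silent truncation */
    return (size_t)short_count * ENTRY_SIZE;
}

/* Bytes the copy loop would actually write, driven by the untruncated count. */
size_t bytes_to_copy(uint32_t count) {
    return (size_t)count * ENTRY_SIZE;
}

/* True when the buggy sizing under-allocates for this count, i.e. the copy
 * would run past the end of the buffer. Computed, never performed. */
bool buggy_would_overflow(uint32_t count) {
    return bytes_to_copy(count) > buggy_alloc_size(count);
}

/* Hardened sizing: reject counts that do not fit the 16-bit field and guard
 * the multiplication before any allocation. Returns 0 when the request is
 * rejected so callers cannot proceed with a bogus size. */
size_t safe_alloc_size(uint32_t count) {
    if (count == 0 || count > UINT16_MAX) return 0;
    if ((size_t)count > SIZE_MAX / ENTRY_SIZE) return 0;
    return (size_t)count * ENTRY_SIZE;
}

/* Copy that proceeds only when the hardened sizing accepted the count and the
 * destination is large enough. Returns entries copied, 0 if rejected. */
size_t safe_copy_entries(uint8_t *dst, size_t dst_len,
                         const uint8_t *src, uint32_t count) {
    size_t need = safe_alloc_size(count);
    if (need == 0 || need > dst_len) return 0;
    memcpy(dst, src, need);
    return count;
}

int main(void) {
    /* Constructed sample counts: in range, at the 16-bit limit, just past it. */
    uint32_t counts[] = { 100u, 65535u, 65536u, 70000u };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        printf("count=%u buggy_alloc=%zu copy=%zu overflow=%s safe_alloc=%zu\n",
               counts[i], buggy_alloc_size(counts[i]), bytes_to_copy(counts[i]),
               buggy_would_overflow(counts[i]) ? "yes" : "no",
               safe_alloc_size(counts[i]));
    }
    return 0;
}
```

The point for reviewers and detection engineers is that the truncation is invisible at the allocation site: `buggy_alloc_size(65536)` returns 0 bytes while the copy still wants 524288, and the compiler emits no warning for the cast. The fix is a range check against the width of the field that actually holds the value, applied before the size is used anywhere.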
The Google researchers have posted PoC exploit code tested on Windows 10 1903 (64-bit). They say the cng.sys flaw looks to have been present since at least Windows 7.
The Project Zero report says that Shane Huntley, director of Google's Threat Analysis Group, has confirmed that active exploitation is targeted and "is not related to any US election-related targeting."
A patch is expected by November 10, 2020, which would be the next "Patch Tuesday" from Microsoft.
In an ..